Budgeting for cybersecurity: How much is enough?
Budgeting for cybersecurity: How much is enough?
“We believe that data is the phenomenon of our time,” IBM CEO Ginni Rometty said at a recent cybersecurity conference. “It is the world’s new natural resource. It is the new basis of competitive advantage, and it is transforming every profession and industry. If all of this is true – even inevitable – then cyber crime, by definition, is the greatest threat to every profession, every industry, every company in the world.”
Expected to surpass $1 Trillion by 2021, cybersecurity spending stands at roughly 3500% of 2004 levels. This parallels—though not closely enough—the rise in cybercrime. Juniper Research projects that by 2022, the costs of cybercrime will have exceeded $8 Trillion1. The Ponemon Institute pegs the average cost of a data breach to the affected organization at $3.6 Million2.
Yet like most relatively new spending requirements, cybersecurity lacks definition. How much does the average corporation need to spend? How much is enough?
Herein lies the trouble with cybersecurity: you can never really spend enough. Any student of military history will tell you that, given similar technology, the attacker has a positional advantage in most engagements. Moore’s law predicts rough parity between the technologies of attack and defense. However, cybercriminals have another advantage: they can specialize, directing all of their resources and energies to one end and one end only.
This means that defenders must spend smart; they must have the strategy, personnel, and infrastructure necessary to maximize any technology investment. But although 59% of companies report increasing cybersecurity budgets, only 4% say they have assessed the implications of their strategies3. Organizations rarely have the right people or infrastructure in place when they invest in security tech.
Decision-makers face a difficult truth: there is no such thing as perfect security. Cyber risks evolve according to Moore’s law, meaning that investment in technology can never keep pace with emerging threats. Risk will endure. Even if it were possible, no organization on earth could afford to eliminate cyber risk: the price tag would be infinite.
In order to spend smart, executives must evaluate their risk exposure. What threats does our organization face? Which of those threats are most probable? Which have succeeded in our industry? Which have shown the greatest destructive potential? For any given threat vector X, risk exposure is equal to the cost of fixing X multiplied by the probability of X occurring.
Of course, there is no panacea. There never will be. It is almost certain that at some point, attackers will compromise every system—will slip over, under, or around every line of defense.
Yet organizations can greatly enhance security through a simple shift of paradigm. Today, too many companies seem to regard cybercrime as a vague threat, best combatted with blind budget allocations. Executives should instead approach cybersecurity like insurance adjusters, treating cybercrime as a set of risks to assess and manage.
A risk management paradigm would bring multiple benefits.
First, it would decrease strategic blindness. Risk calculus demands that organizations observe and analyze the full range of threat vectors. Once executives accept that hackers will probably breach their organization at some point, they can begin planning for recovery as well as prevention.
Second, risk calculus would mitigate the effect of bias and hysteria on cyber spending. Organizations can apply the same methods as actuaries, mathematical methods that, if not strictly objective, nonetheless allow for a more quantifiable approach to impending threats. For instance, despite the press surrounding DDoS attacks and zero-day exploits, internal threats regularly account for between 40% and 60% of attacks, depending on the study and the year. An approach less reliant on subjective analysis would invest accordingly, in staff training and monitoring as well as in defense against external malice.
Risk management also entails partnership. Without virtually unlimited resources, no single organization can manage the manifold demands of cybersecurity—the need to detect, prepare for, and address the growing range of cyber threats, as well as to comply with privacy and security regulations. An external vendor can direct their entire focus to cybersecurity. Xledger, for example, spends substantial resources on hardware, software, and personnel in order to safeguard client data.
1Juniper Research, “Cybercime & the Internet of Threats 2017.”
2Ponemon Institute, “2017 Cost of Data Breach Study.”
3EY, “Cybersecurity Regained: Preparing to face cyber attacks,” 2017.
Like this content? Subscribe for more!
Recieve valuable content:videos, webinars, whitepapers, industry updates
All straight to your inbox!